View Issue Details

ID: 0023146
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: iamsecurity
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.0.0-beta.1
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary: 0023146: CVE-2017-12061: XSS in /admin/install.php script
Description

Some variables like $f_database, $f_db_username and $f_admin_username are under user control and are not sanitized properly when displayed in error messages.

/admin/install.php:
202: $f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtracker' ) );
203: $f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
...
216: $f_admin_username = gpc_get( 'admin_username', '' );
...
437: $g_db = ADONewConnection( $f_db_type );
438: $t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
...
444: print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );

Because the "admin" folder is accessible to anyone and is not moved or denied after a successful Mantis installation, many servers have that issue.

Steps To Reproduce

Browse to URLs:

http://mantis.server/admin/install.php?install=3&database_name=%3Ch1%3EXSS&admin_username=%3Ch1%3EXSS
or
http://mantis.server//admin/install.php?install=3&database_name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&admin_username=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Tags: No tags attached.

Relationships

parent of 0023175 (closed, dregad): CVE-2017-12061: XSS in /admin/install.php script

Activities

iamsecurity

2017-07-24 01:30

reporter  

mantisbt-xss.jpg (70,776 bytes)
atrol

2017-07-25 17:11

developer   ~0057328

I confirm the issues in general, but I am wondering which browser you are using.
We use CSP headers as an additional way to prevent this kind of XSS.
I tried latest versions of Firefox, Chrome and Safari and was not able to reproduce the issue.
Will also try IE and Edge tomorrow.

vboctor

2017-07-28 01:19

manager   ~0057347

The admin folder should be deleted as soon as MantisBT is installed. We should fix this issue, but having admin folder available after installation probably has other security issues.

dregad

2017-07-31 19:07

developer   ~0057365

I am requesting a CVE ID to be assigned for this issue.

@iamsecurity please let us know how you would like to be credited for the finding

dregad

2017-08-01 05:57

developer   ~0057368

CVE-2017-12061 has been assigned [scr368900]

dregad

2017-08-01 09:09

developer   ~0057371

The issue is also present in 1.3.11 and earlier. Tracking in 0023175

dregad

2017-08-04 19:18

developer   ~0057396

OSS security mailing list posting http://www.openwall.com/lists/oss-security/2017/08/01/1

Related Changesets

MantisBT: master-2.5 c73ae3d3

2017-08-01 07:00:04

dregad

Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146
mod - admin/install.php

MantisBT: master-1.3.x 17f9b94f

2017-08-01 07:00:04

dregad

Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5
mod - admin/install.php
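The pattern from the report's install.php excerpt and the remedy the changeset message describes ("sanitizing the database error message prior to output"), side by side in one runnable script. This is an added illustration, not MantisBT's code: the page does not show the exact escaping call the commit introduced, so plain PHP htmlspecialchars() stands in for it, and the function names (fake_db_error_msg, render_test_result_vulnerable, html_escape, render_test_result_fixed) and the sample input are constructed for the example.

```php
<?php
// Added example, not MantisBT's own code: the unescaped-output pattern from the
// report beside an escaped version. Function names are invented for this demo.
declare(strict_types=1);

// Stand-in for db_error_msg(): database drivers commonly repeat the requested
// database name in their error text, which is how a request parameter ends up
// in the page. Constructed for this example.
function fake_db_error_msg(string $p_database_name): string {
    return "Unknown database '" . $p_database_name . "'";
}

// Vulnerable pattern, mirroring the report's
// print_test_result( BAD, false, '... ( ' . db_error_msg() . ' )' ):
// the error text is concatenated into HTML with no escaping.
function render_test_result_vulnerable(string $p_error_msg): string {
    return '<td>BAD</td><td>Database user doesn\'t have access to the database ( '
        . $p_error_msg . ' )</td>';
}

// Escape for an HTML text or attribute context. ENT_QUOTES also escapes single
// quotes; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function html_escape(string $p_text): string {
    return htmlspecialchars($p_text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: same message, escaped right before it is written out.
function render_test_result_fixed(string $p_error_msg): string {
    return '<td>BAD</td><td>Database user doesn\'t have access to the database ( '
        . html_escape($p_error_msg) . ' )</td>';
}

// Defence in depth, as atrol's note describes: a restrictive CSP keeps inline
// script from running even when an escaping bug slips through. Headers must go
// out before any body content, and only make sense outside the CLI.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'");
}

// Constructed input in the shape of the report's second URL; in install.php
// this value would come from gpc_get( 'database_name', ... ).
$t_database_name = '<script>alert(\'XSS\')</script>';
$t_msg = fake_db_error_msg($t_database_name);

echo "Vulnerable output (a browser parses the script tag as markup):\n",
    render_test_result_vulnerable($t_msg), "\n\n";
echo "Fixed output (angle brackets and quotes become entities, shown as text):\n",
    render_test_result_fixed($t_msg), "\n";
```

Run it with `php example.php`; the two outputs differ only in that the second has `<`, `>` and `'` turned into entities. Escaping at the point of output, as the changeset message puts it, covers every value that can reach the error string regardless of which request parameter it came from, which is why it is preferable to filtering the individual $f_* variables.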

Issue History

Date Modified Username Field Change
2017-07-24 01:30 iamsecurity New Issue
2017-07-24 01:30 iamsecurity File Added: mantisbt-xss.jpg
2017-07-25 17:11 atrol Status new => feedback
2017-07-25 17:11 atrol Note Added: 0057328
2017-07-28 01:19 vboctor Note Added: 0057347
2017-07-31 19:07 dregad Note Added: 0057365
2017-08-01 00:49 iamsecurity Status feedback => new
2017-08-01 05:57 dregad Summary XSS in /admin/install.php script => CVE-2017-12061: XSS in /admin/install.php script
2017-08-01 05:57 dregad Note Added: 0057368
2017-08-01 07:58 dregad Assigned To => dregad
2017-08-01 07:58 dregad Status new => assigned
2017-08-01 07:58 dregad Product Version 2.5.1 => 2.0.0-beta.1
2017-08-01 07:58 dregad Target Version => 2.5.2
2017-08-01 08:04 dregad Issue cloned: 0023175
2017-08-01 08:04 dregad Relationship added related to 0023175
2017-08-01 09:09 dregad Relationship replaced parent of 0023175
2017-08-01 09:09 dregad Note Added: 0057371
2017-08-01 09:17 dregad Changeset attached => MantisBT master-2.5 c73ae3d3
2017-08-01 09:17 dregad Status assigned => resolved
2017-08-01 09:17 dregad Resolution open => fixed
2017-08-01 09:17 dregad Fixed in Version => 2.5.2
2017-08-01 09:17 dregad Changeset attached => MantisBT master-1.3.x 17f9b94f
2017-08-01 09:23 dregad View Status private => public
2017-08-04 19:18 dregad Note Added: 0057396
2017-08-06 07:17 atrol Category installation => security
2017-09-03 18:41 vboctor Status resolved => closed